Part of the website was indexed in Google searches, giving anyone unfettered access to the database

Yet another Aadhaar data leak has come to light, this time involving the Indian Oil Corporation-owned gas agency Indane.

This is a repeat of the many Aadhaar leaks we have seen in the past, where Aadhaar data stored on a website has been left exposed because of bad security practices.


According to a report in TechCrunch, local gas company Indane had left part of its website exposed to dealers and distributors who could access the Aadhaar data using a valid user name and password. But thanks to not having enough security measures in place, part of the website was indexed in Google searches, giving anyone unfettered access to the database, even without any login details. Indane has around 90 million total customers across India.

The exposed data was brought to notice by a security expert who wants to remain anonymous. French security researcher Robert Baptiste, who goes by the Twitter handle Elliot Alderson, used a custom-built Python script to scrape this database and was able to obtain customer data for 11,000 dealers. This data included the names and addresses of customers as well as their Aadhaar numbers. According to Baptiste, he was able to get details of 5.7 million Indane customers before his script was blocked.

Baptiste even studied the Android app of Indane, which had a 'Locate your Distributor' section in its code. Using his custom Python script, Baptiste was able to get 11,062 valid dealer IDs. "After more than 1 day, my script tested 9490 dealers and found that a total of 5,826,116 Indane customers are affected by this leak," said Baptiste in his blog post.

Baptiste even said that he had disclosed the leak to Indane, but did not get any response from them.

However, the Indian Oil Corporation Ltd dismissed the report, saying there was no such data leak through the Indane website. It also said that Indian Oil's software captures only the Aadhaar number and no other details for LPG subsidy transfer.

It further clarified that no Aadhaar number was hosted on the official website of Indane.

Earlier this month, Aadhaar details of thousands of Government of Jharkhand employees were found exposed thanks to a lapse in security. Employees using the Aadhaar biometric attendance system to mark their attendance had their details exposed, as the servers holding this information had been without a password since 2014. The details available, for anyone looking in the right place, included Aadhaar numbers, names, job titles, email IDs and partial phone numbers. Around 166,000 employees' data had been left exposed.